Counting superspecial Richelot isogenies by reduced automorphism groups (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

The recent cryptanalysis by Costello and Smith [10] employed the subgraphs whose vertices consist of decomposed principally polarized abelian varieties, hence it is important to study the subgraphs in isogeny-based cryptography. Katsura and Takashima [22] initiated the investigation of the decomposed abelian surface subgraphs in the genus-2 case. This paper surveys the work, aiming to provide a kind of handbook for applying our results to cryptography

Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post‐Quantum Cryptography

In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystem. To this end, the authors consider both the currently most widely used classically secure cryptosystems, and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future

Isogeny-based post-quantum key exchange protocols

The goal of this project is to understand and analyze the supersingular isogeny Diffie Hellman (SIDH), a post-quantum key exchange protocol which security lies on the isogeny-finding problem between supersingular elliptic curves. In order to do so, we first introduce the reader to cryptography focusing on key agreement protocols and motivate the rise of post-quantum cryptography as a necessity with the existence of the model of quantum computation. We review some of the known attacks on the SIDH and finally study some algorithmic aspects to understand how the protocol can be implemented

Security Analysis of Isogeny-Based Cryptosystems

Let $E$ be a supersingular elliptic curve over a finite field. In this document we study public-key encryption schemes which use non-constant rational maps from $E$. The purpose of this study is to determine if such cryptosystems are secure. Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered. The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis: SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms. In each case the relevent background material is presented to develop the theory. In studying the security of SIDH when the endomorphism ring of the base curve $E$ is known, one of the main results is the following. This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in \End(E). \begin{thm} Given \begin{enumerate} \item a supersingular elliptic curve E/\FQ such that $p = N_1 N_2 - 1$ for coprime $N_1\approx N_2$, where $N_2$ is $\log p$-smooth, \item an elliptic curve $E'$ that is the codomain of an $N_1$-isogeny $\phi:E\rightarrow E'$, \item the action of $\phi$ on $E[N_2]$, and \item a $k$-endomorphism $\psi$ of $E$, where $\gcd(k, N_1) = 1$, and if \g is the greatest integer such that $g\mid N_2^2$ and $g\mid k$, then \h := \frac{k}{g} < N_1, \end{enumerate} there exists a classical algorithm with worst case runtime \tilde{O}(\h^3) which decides whether $\psi(\ker\phi) = \ker\phi$ or not, but may give false positives with probability $\approx \frac{1}{\sqrt{p}}$. Further, if \h is $\log{p}$-smooth, then the runtime is \tilde{O} (\sqrt{\h}). \end{thm} In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused. \begin{thm} Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key $(E_B,\phi_B(P_A),\phi_B(Q_A))$ to some $(E_B,R,S)$ which is malicious for SIDH. \end{thm} It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves. A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime $O(p^{1/2}(\log p)^2)$. In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined. The first three were all proposed by the same authors and use secret endomorphisms. These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently. The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem. This proposal is also shown to be totally insecure

Hard isogeny problems over RSA moduli and groups with infeasible inversion

We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders. Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.Comment: Significant revision of the article previously titled "A Candidate Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the constructions by giving toy examples, added "The Parallelogram Attack" (Sec 5.3.2). 54 pages, 8 figure

The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3

This work presents a detailed study of the classical security of the post-quantum supersingular isogeny key encapsulation (SIKE) protocol using a realistic budget-based cost model that considers the actual computing and memory costs that are needed for cryptanalysis. In this effort, we design especially-tailored hardware accelerators for the time-critical multiplication and isogeny computations that we use to model an ASIC-powered instance of the van Oorschot-Wiener (vOW) parallel collision search algorithm. We then extend the analysis to AES and SHA-3 in the context of the NIST post-quantum cryptography standardization process to carry out a parameter analysis based on our cost model. This analysis, together with the state-of-the-art quantum security analysis of SIKE, indicates that the current SIKE parameters offer higher practical security than currently believed, closing an open issue on the suitability of the parameters to match NIST\u27s security levels. In addition, we explore the possibility of using significantly smaller primes to enable more efficient and compact implementations with reduced bandwidth. Our improved cost model and analysis can be applied to other cryptographic settings and primitives, and can have implications for other post-quantum candidates in the NIST process

Improved Classical Cryptanalysis of SIKE in Practice

Item does not contain fulltextPKC 202

Improved algorithms for finding fixed-degree isogenies between supersingular elliptic curves

Finding isogenies between supersingular elliptic curves is a natural algorithmic problem which is known to be equivalent to computing the curves\u27 endomorphism rings. When the isogeny is additionally required to have a specific degree $d$, the problem appears to be somewhat different in nature, yet it is also considered a hard problem in isogeny-based cryptography. Let $E_1,E_2$ be supersingular elliptic curves over $\mathbb{F}_{p^2}$. We present improved classical and quantum algorithms that compute an isogeny of degree $d$ between $E_1$ and $E_2$ if it exists. Let the sought-after degree be $d = p^{1/2+ \epsilon}$ for some $\epsilon>0$. Our essentially memory-free algorithms have better time complexity than meet-in-the-middle algorithms, which require exponential memory storage, in the range $1/2\leq\epsilon\leq 3/4$ on a classical computer and quantum improvements in the range $0<\epsilon<5/2$